OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10128 confirms this npm version as malicious. ohcm-culture-formatting@5.0.0 declares a preinstall hook (`"preinstall": "node index.js"`) that auto-executes on `npm install`. index.js uses `child_process.exec` to run a shell pipeline that reads `/etc/passwd`, `/etc/hosts`, `/etc/shadow`, and `id` output, base64-encodes the concatenation, and POSTs it via curl to `http://d98fu4tmls2g936th9qgfxje1qj9g91a6.oast.fun/ohcm-culture-formatting/$(whoami)/$(hostname)/`,...
Advisory
MAL-2026-10128
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ohcm-culture-formatting (npm)
Details
ohcm-culture-formatting@5.0.0 declares a preinstall hook (`"preinstall": "node index.js"`) that auto-executes on `npm install`. index.js uses `child_process.exec` to run a shell pipeline that reads `/etc/passwd`, `/etc/hosts`, `/etc/shadow`, and `id` output, base64-encodes the concatenation, and POSTs it via curl to `http://d98fu4tmls2g936th9qgfxje1qj9g91a6.oast.fun/ohcm-culture-formatting/$(whoami)/$(hostname)/`, embedding the installer's username and hostname in the URL path and the file contents in the User-Agent header. The destination is an Interactsh/OAST out-of-band interaction collector. The package name mimics an internal ADP/Lifion (`ohcm-*`) namespace and the description string is `Lifion host`, consistent with a dependency-confusion payload targeting that internal namespace.
Decision reason
OpenSSF Malicious Packages via OSV confirms ohcm-culture-formatting@5.0.0 as malicious (MAL-2026-10128): Malicious code in ohcm-culture-formatting (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory